CTI Roundup: Fake Google Sites Pages, Hackers Target Global Governments

This week CTI looks at a recently discovered malware campaign that leverages fake Google Sites pages and HTML smuggling to distribute Azorult malware. Next CTI provides key takeaways from Imperva’s “State of API Security” report which looks at the current API security landscape. CTI also breaks down an ongoing advanced persistent threat (APT) campaign that’s targeting several government entities across the world.

1. Hackers spread malware through fake Google Sites pages

A recently discovered malware campaign is leveraging fake Google Sites pages along with the HTML smuggling technique to distribute a type of malware known as Azorult.

In this campaign, the payload is embedded in a separate externally hosted JSON file. The fileless Azorult infostealer is later executed via reflective code loading to bypass detection and minimize artifacts.

Google Sites for HTML smuggling

Netskope uncovered this latest activity involving fake Google Docs pages on Google Sites that were used by threat actors for HTML smuggling to download malicious payloads.

The threat actor behind this activity tricks its victims into visiting fake Google Docs pages and has them download a file they believe to be from Google Docs. In this campaign, the threat actor embedded the malicious payload within a JSON file so that when the victim accessed the site, it would send a GET request to download the JSON file.

The threat actor also leveraged CAPTCHA to avoid URL scanners. Once the victim moves through the CAPTCHA, the HTML smuggling code reconstructs the payload and downloads it. The downloaded payload is a LNK file that uses the PDF icon to make users believe it is a legitimately downloaded file from Google Docs. The malware ultimately downloaded is the Azorult information-stealing malware.

Azorult fileless malware loading

The campaign executes the Azorult information stealer in memory via reflective code loading as an additional defense evasion technique. In other words, it loads code into a running PowerShell process’s own memory and therefore does not leave as many artifacts behind.

To do so, a PowerShell script is executed to bypass the AMSI, or antimalware scan interface. Then, a second PowerShell script is executed to download the Azorult loader, define a shellcode, and execute a routine that will load both the shellcode and the executable into process memory.

What is Azorult malware?

Azorult has been around since 2016. It begins by taking a screenshot of the device’s screen and saving it as a JPEG. It then moves on to gather browser data including Chrome’s login data, local state, cookies, and web data. It applies the same routine to Firefox as well. The malware copies crypto wallet data before searching for sensitive files on the desktop. It searches for specific file extensions like TXT, AXX, DOC, XLS, KDBX, DOCX, and XLSX. It will also search for file names including specific keywords like backup, wallet, ledger, and secret. Once it has the information it needs, it writes the data to a memory stream that is later exfiltrated to the C2.

Analyst comments from Tanium’s Cyber Threat Intelligence team

HTML smuggling is a technique that is increasingly being used by threat actors to deliver malware, hence the difficulty in being able to attribute this activity to a specific actor.

As Netskope points out, “Unlike common smuggling files where the blob is already inside the HTML code, this campaign copies an encoded payload from a separate compromised site.”

This supports the fact that threat actors are increasingly using this technique, and also modifying it to further evade detection.

2. Cybercriminals take advantage of APIs

Imperva recently released its “State of API Security” report, which looks at the current API security landscape based on attacks targeting APIs.

Imperva found that APIs are now a popular attack vector for threat actors given their direct line to access sensitive data. The report covers API attack trends along with recommendations on how to improve API security posture.

Top API vectors to know about

Imperva analyzed API attack vectors observed over the course of the last year. Business logic topped the list, accounting for 27% of all attacks on APIs — a 10% increase from the prior year.

This type of attack happens when a threat actor looks to “exploit the intended functionality of an API for malicious purposes, such as the exfiltration of sensitive data or disrupting a mission-critical application.” Detecting API business logic abuse can be difficult because the attacks closely mimic legitimate usage.

The next top vector, at 19%, is attacks that stem from automated agents or “bad bots.” Imperva also looked at the top industries with high numbers of API calls and therefore high numbers of bot traffic. They found that the banking and finance sector accounts for 31%, followed by eCommerce and retail at 17.9%, and technology at 7.1%. While not all bot traffic is malicious, this data coupled with the number of API calls is a pattern worth looking at.

API account takeovers are another type of common attack. This happens when a threat actor exploits a vulnerability within an API’s authentication process to get access to user accounts. Imperva found that 45.8% of all attacks they recorded targeted API endpoints, representing an 11% increase from the previous year.

Mismanaged API endpoints

Imperva’s report dives into three common types of mismanaged API endpoints that increase the risk of these attacks.

• Shadow APIs are undocumented or undiscovered APIs. They are essentially APIs that were forgotten about and Imperva estimates this makes up 4.7% of an organization’s active APIs.
• Deprecated APIs are API endpoints that lack updates and are more open to attacks.
• Unauthenticated endpoints are typically introduced by a misconfiguration or oversight.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Threat actors are constantly looking for new attack vectors and are keeping an eye on the overall ecosystem to identify potentially lucrative targets.

One of the reasons that APIs are likely an attractive target to threat actors is the fact that organizations don’t always have complete visibility into their APIs.

As Imperva continually notes in their report, these attacks are difficult to detect. “The dynamic nature of API interactions and the sheer volume of legitimate requests make it hard for traditional security measures to discern malicious activities,” the report states.

Because threat actors use various techniques to target APIs, different mitigation types are needed to ensure full coverage. Imperva offers mitigation tips in its report.

3. APT campaign targets global government entities

Researchers have been tracking an APT campaign since 2022 that targets several government entities across the world.

The campaign — which researchers are attributing to a threat actor called Earth Krahang — accesses public infrastructure to further attack other government entities. The threat actor uses this access to host malicious payloads, proxy attack traffic, and send spear-phishing emails from compromised government email accounts. The actor also recently built a VPN server on a compromised public-facing server to obtain persistent access into the private network of the victim.

Reconnaissance and initial access

One of the infection vectors in this campaign involves scanning public-facing servers. The threat actor leverages open-source tools to search for .git or .idea. This actor will also occasionally brute force directories directly. The actor is looking for potentially unmaintained servers and aims to access servers to drop web shells and install backdoors. In some instances, the threat actor will also leverage spear phishing.

Trend Micro has observed Earth Krahang obtaining hundreds of email addresses from the target during the reconnaissance phase. In one specific example, the threat actor leveraged a compromised mailbox of a government employee to send a malicious document to 796 other email addresses belonging to the same government entity. The actor also abuses trust established between government entities to further their attacks.

Post exploitation activity

This threat actor is known to install the SoftEther VPN on the public-facing servers it is able to compromise. The SoftEther server executable is then renamed to blend in with legitimate files on the system.

This VPN is then used to connect to the victim’s network and carry out further post-exploitation activities. Some observed post-exploitation activity includes establishing backdoor persistence via scheduled tasks, enabling remote desktop connections, accessing credentials, scanning the network, performing lateral code execution, exploiting vulnerabilities for privilege escalation, and more.

Email exfiltration

The threat actor was observed brute forcing Exchange servers via the OWA portals of its victims. The actor uses a custom Python script targeting the ActiveSync service on the OWA server to carry out this attack. In addition, this actor has used the open-source tool known as Ruler to brute force email credentials. Another Python script was also used to exfiltrate emails from a Zimbra server.

Earth Krahang’s malware

Earth Krahang has delivered a range of malware throughout this long campaign including Cobalt Strike and two different custom backdoors including REDSHELL and XDealer.

REDSHELL was primarily used during the campaign in 2022. The actor has since shifted to primarily use XDealer which has both Windows and Linux variants available.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Trend Micro claims to have identified 48 compromised government organizations. An additional 49 government organizations were also targeted. These numbers are staggering, but the campaign has been ongoing since at least 2022 giving the threat actor ample time to execute attacks.

While the campaign has targeted other sectors, it overwhelmingly goes after government entities and leverages compromised government emails. That said, it’s important to develop a “healthy skepticism when it involves potential security issues and developing habits such as refraining from clicking on links or opening attachments without verification from the sender.”

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.